sipXecs is an open source PBX server built on Freeswitch for the core of its SIP functionality.

To explain: SIP is the industry standard for VoIP systems, which allow you to have a telephone system (amongst other things!) that operates over a computer network.

However, due to a long and somewhat rocky path, the documentation is slightly odd. The project currently lives at SIPfoundry, with the downloads hidden on a page with nothing in common with the rest of the site, and ISOs hidden one folder deep (see here). Fortunately this is easier to get to from the other useful location, the sipXecs wiki.

But before you simply assume that SIPfoundry is the latest company to own the copyrights and trademarks, it simply isn’t this simple. SIPfoundry is actually a non-profit organisation set up by the original commercial creators of sipXecs. But of course, they have been bought and sold a few times, and now are sponsored by eZune, a company formed by members of the community and some of the original engineers who started the project off. eZune now provides commercial support.

But enough of that. Sadly, there are parts of sipXecs which are less than ideally documented, but most of it is simply rather hard to find. Like how to set up the Windows-based DNS servers you happen to already have, which are integrated into somewhat complex things like Active Directory and Exchange, to play nicely with SIP and autoconfiguring phones, which honestly is rather cool. Based on netbooting protocols, it does need several changes to make it all work.

Fortunately, buried under what feels like 4 million links, there is a really quite good PDF on the DNS configuration! Do note that it states it was written back in 2007. Windows DNS setup for sipXecs

ITX Security NCX-2000P CCTV camera information and sort of review – see the manufacturer’s website for their ‘spec’ sheet! www.itxsecurity.com/eng/

Why there is no documentation and no mention of this camera anywhere on the web beats me. Maybe it’s the small, relatively unknown Korean manufacturer, but it’s hard, really hard to track down. It seems to be a nice, sensible camera, especially for transitioning from analogue to digital CCTV. It features:

both a composite video out (switchable between PAL and NTSC) and 10/100M Ethernet IP networking with rtp/rtsp streams in H.264 and/or MJPEG

a choice of 12v DC, 24v AC or Power over Ethernet

2 way audio and general purpose input/output pins – obviously both need extra hardware to work

So if your camera has failed, and you want to start moving from analogue CCTV to digital, it’s an ideal option as it won’t become redundant immediately on upgrading; you’ll simply be able to move it over to the new system.

Now onto the fact it has not just little, but seemingly no documentation beyond the ‘spec sheet’ ITX provide on their website. Let me open a few little details up for you.

Web browser

The spec seems to imply that you could use almost any browser with this camera. Just see their impressive list: Internet Explorer 7.0 or above, Firefox, Chrome, PDA/Smart phone. Now, while all these can, admittedly, edit the settings for the camera, they cannot view the live video feed in the built-in viewer. This is only possible in Internet Explorer for the simple reason that it requires an ActiveX plugin to be installed to function. Fear not however, for the data can be liberated!

RTSP streams

However, all the ActiveX plugin does is provide an in-browser RTSP/RTP viewer. With the correct software, such as VLC or a number of other media players, this can be played back directly. However, revealing the address you need is far from simple! The method that was eventually successful was using Wireshark to dissect the packets themselves to find the address requested by the ActiveX viewer. However, here they are for all to enjoy!

Stream   Codec            RTSP address
1st      H.264            rtsp://192.168.0.101/live/main/
2nd      MJPEG or H.264   rtsp://192.168.0.101/live/second/

RTP didn’t seem to want to play easily with VLC player, and this seems to do what I’m looking for, so no need to go any further. Hopefully this can help others to use this camera in many projects, and break free from using that manufacturer’s software.
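The Wireshark step described above can be repeated on a saved plain-text dump of the viewer's RTSP conversation. The script below is an added example, not part of the original post: it lists each requested URL with the status the camera returned, and its sample conversation (including the /live/third/ path and all status codes) is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a plain-text dump of an RTSP
# TCP conversation on stdin and prints "METHOD URL STATUS" for each request,
# pairing requests with responses through their CSeq header.

rtsp_requests() {
    awk '
        { sub(/\r$/, "") }                          # RTSP lines end in CRLF
        /^[A-Z_]+ rtsp:\/\/[^ ]+ RTSP\/1\.0$/ {     # request line
            method = $1; url = $2; in_req = 1; next
        }
        /^RTSP\/1\.0 [0-9][0-9][0-9]/ {             # response status line
            status = $2; in_req = 0; next
        }
        tolower($1) == "cseq:" {
            if (in_req) {
                req[$2] = method " " url; order[++n] = $2
            } else if ($2 in req) {
                code[$2] = status
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                print req[c], ((c in code) ? code[c] : "-")
            }
        }'
}

# Constructed sample: the two addresses from the table above plus a made-up
# /live/third/ path that the server rejects.
sample_conversation() {
    printf 'DESCRIBE rtsp://192.168.0.101/live/main/ RTSP/1.0\r\nCSeq: 1\r\n\r\n'
    printf 'RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n'
    printf 'DESCRIBE rtsp://192.168.0.101/live/second/ RTSP/1.0\r\nCSeq: 2\r\n\r\n'
    printf 'RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n\r\n'
    printf 'DESCRIBE rtsp://192.168.0.101/live/third/ RTSP/1.0\r\nCSeq: 3\r\n\r\n'
    printf 'RTSP/1.0 404 Not Found\r\nCSeq: 3\r\n\r\n'
}

sample_conversation | rtsp_requests
```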

Instructions on how to get DansGuardian and Squid to do auth against a Windows Server 2008 R2 Active Directory, to allow multi-group filtering options. To help with managing the server, Webmin is set up alongside. This assumes you’re going to run this with one ethernet port to the local network, and that you have DNS servers that are stable on the network.

Install Debian

Install Debian from CD1; normal install mode is fine. Mostly just answer the questions as normal, except when you get to “tasksel”: unmark “Graphical Desktop environment” and mark “SSH server”. If it’s just a proxy, you don’t need anything else!

Once you’ve rebooted after installing Debian, log in and use “ifconfig” to find your IP address (unless you entered a static one during install), then you can complete the rest of these instructions via SSH (and copy/paste the commands in!). I also personally prefer to edit the config files via SCP so I get to use a pretty GUI text editor.

Then issue /etc/init.d/networking restart to change to the new IP settings. Remember, if you do this via SSH your connection will be dropped and you’ll need to log in again.

Add Webmin repository

Webmin isn’t included in the standard Debian repository, but never fear, it’s got its own, so we’ll get regular updates.

Add the following to the end of /etc/apt/sources.list:
# webmin repository
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Now run the following three commands to download and install the GPG signing key used:
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

Update repositories and upgrade packages

Next we’ll update the repository list and then apply any updates so we’re kept secure.
apt-get update
apt-get upgrade

Install our packages!

Now onto the install itself! The following command will install everything we need: Samba, Squid, DansGuardian, Webmin and a few dependencies on the side. It asks for the Debian install CD to be inserted part way in, and depending on the speed of your internet connection could take several minutes.
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate

It will ask to specify your workgroup/domain you want the server to be in, enter your domain in caps like this: EXAMPLE and not like this EXAMPLE.LOCAL

Configure Kerberos

Next a small bit of configuration to take care of:
dpkg-reconfigure krb5-config
It will ask for:

Default Kerberos version 5 realm: EXAMPLEDOMAIN.LOCAL

Add locations of default Kerberos servers to /etc/krb5.conf? No

Configure NTP with your domain

Networks run better when all the machines have the same time, so we’ll change from getting Network Time Protocol updates from Debian’s servers to just using our domain controller.

Under the “Misc” section, find the following two lines:
; idmap uid = 10000-20000
; idmap gid = 10000-20000
and uncomment them (remove the ‘;’ from the beginning of each line).

At this point add the following three lines, just above the next section marked “Share Definitions”:
winbind trusted domains only = yes
realm = EXAMPLEDOMAIN.LOCAL
winbind cache time = 3600

All done for smb.conf, so save and exit.

Prepare to join the domain

Restart samba, winbind and synchronize the time with the domain controller.
net time set -S domaincontroller
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Join the domain

First reboot: this may not be needed but it seems to help. Join the machine to the domain:
kinit Administrator
net ads join -U Administrator
You’ll be asked for the password of the domain user you specify at the end of the command, once for each command. You should get:
root@proxy:~# kinit Administrator
Password for Administrator@EXAMPLEDOMAIN.LOCAL:
root@sbproxy:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLEDOMAIN
Joined 'PROXY' to realm 'exampledomain.local'

As this sometimes gives a positive result without actually doing what’s required, the following is an essential check:
wbinfo -t
This should give: checking the trust secret for domain EXAMPLEDOMAIN via RPC calls succeeded. If this step fails, you can’t proceed. Rebooting a few times and starting from the beginning of ‘Join the domain’ should fix it.

As final checks that the domain auth is working, try these two commands, the first of which should list all the users in the domain (which does mean it can take some time!) and the second of which should list all the groups on the domain.
wbinfo -u
wbinfo -g

Configure Squid

Make a backup copy of /etc/squid/squid.conf before we start to edit it.

Add the following three lines below the block of #auth_param lines that are already there; leave those in case you want to change something in the future.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic realm exampledomain

Comment out this line (shortly after the above code):
http_access allow localhost

Squid needs access to /var/run/samba/winbindd_privileged. We can easily fix this, but the permissions will reset when we reboot. So Jesse Waters on ubuntuforums.org posted a script that will set the permissions on every system boot. Create /etc/init.d/winbind-ch.sh and paste the following into it. You need to set its permissions to 755 to allow execution. You can download a copy of this in a file from www.petespcs.co.uk/dangerous/windbind-cd.sh
#!/bin/sh
# Give Squid's group (proxy) access to winbind's privileged pipe directory at boot.
#set -x
WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged

# Set the group owner and group write permission; fail if either step fails.
chmodgrp() {
    chgrp proxy "$WINBINDD_PRIVILEGED" || return 1
    chmod g+w "$WINBINDD_PRIVILEGED" || return 1
}

case "$1" in
    start)
        chmodgrp
        ;;
    restart|reload|force-reload)
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
    stop)
        ;;
    *)
        echo "Usage: $0 start|stop" >&2
        exit 3
        ;;
esac
#EOF
Following this, run update-rc.d winbind-ch.sh start 21 2 3 4 5 . to finish that off.
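Because the join can report success without working and the directory permissions reset on reboot, both conditions can be checked in one go before Squid is started. The script below is an added example, not part of the original instructions; it assumes wbinfo exits non-zero when the trust check fails, and the WBINFO override variable and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original instructions. Repeats the join checks
# (wbinfo -t, -u, -g) and confirms that only the proxy group, and nobody else,
# can reach winbind's privileged directory.

WBINFO=${WBINFO:-wbinfo}    # hypothetical override so the checks can be stubbed

# Fail unless the trust secret verifies and winbind can list users and groups.
verify_join() {
    out=$($WBINFO -t 2>&1) || { echo "trust check failed: $out"; return 1; }
    case $out in
        *succeeded*) ;;
        *) echo "unexpected wbinfo -t output: $out"; return 1 ;;
    esac
    users=$($WBINFO -u 2>/dev/null | grep -c .) || users=0
    ngroups=$($WBINFO -g 2>/dev/null | grep -c .) || ngroups=0
    if [ "$users" -eq 0 ] || [ "$ngroups" -eq 0 ]; then
        echo "winbind returned $users users and $ngroups groups"; return 1
    fi
    echo "trust ok, $users users and $ngroups groups visible"
}

# Fail unless DIR belongs to group WANT, the group can enter it, and "other"
# has no access at all (assumption: the directory should never be world-open).
check_priv_dir() {
    dir=$1 want=$2
    line=$(ls -ld "$dir" 2>/dev/null) || { echo "missing: $dir"; return 2; }
    set -- $line                      # $1 = mode string, $4 = group name
    case $1 in
        d?????[xs]---*) ;;
        *) echo "mode $1 on $dir is too open or blocks the group"; return 1 ;;
    esac
    [ "$4" = "$want" ] || { echo "group of $dir is $4, expected $want"; return 1; }
}

# Run both checks only when asked to:  sh preflight.sh run
if [ "${1:-}" = run ]; then
    verify_join && check_priv_dir /var/run/samba/winbindd_privileged proxy
fi
```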

Configure Dans Guardian

Make a backup copy of /etc/dansguardian/dansguardian.conf before we start to edit it.

First, a simple edit: comment out the line UNCONFIGURED - Please remove this line after configuration

Find the line filtergroups = 1 and change it to however many filter groups you feel you need, but be warned that the webmin interface can only handle so many.

/etc/dansguardian/dansguardianf1.conf as a backup, and then make copies for each of your filter groups, so if you have 3 filter groups, you’ll need 3 files called:
/etc/dansguardian/dansguardianf1.conf
/etc/dansguardian/dansguardianf2.conf
/etc/dansguardian/dansguardianf3.conf

No edits needed on them, it can all be easily done from Webmin later

Setup Webmin

Open a web browser to https://yourproxyip:10000/ and log in with root. Go to Webmin > Webmin Configuration > Webmin Modules. Select “From ftp or http URL”, paste the link below into the dialog box and click Install Module.
http://downloads.sourceforge.net/project/dgwebminmodule/dgwebmin-stable/0.7/dgwebmin-0.7.1.wbm
You might want to check the SourceForge site for a newer version, see http://sourceforge.net/projects/dgwebminmodule/. You can get the address for the link above by going to download the latest version, but when offered the download, cancel it and right click on the direct download link and select “Copy link location”.

Because Debian installs programs to slightly different locations from other distributions, you need to change a few of the settings in the DansGuardian Webmin module configuration. Go to Servers > DansGuardian Web Content Filter > Module config and change “Full path to DG binary” to /usr/sbin/dansguardian. We also need to remove rc.d/ from “Command to restart DG”, “Command to start DG” and “Command to stop DG”.

Setup regular blocklist updates

Shallalist provides URL and domain blocklists free for non-commercial use (including education). They update these up to every 24 hours. A simple cron job can be set up to download these; all that’s needed is a simple shell script. You can download a copy from www.petespcs.co.uk/dangerous/updatebl.sh

To create a cron job in Webmin, go to System > Scheduled Cron Jobs then click on “Create a new scheduled cron job.”. The answers I recommend you enter are:

Execute cron job as: root
Command: /path/to/updatebl.sh
When to execute: Times and dates selected below ..
Minutes: Selected .. 1
Hours: Selected .. 0
Days: All
Months: All
Weekdays: Selected .. Monday, Tuesday, Wednesday, Thursday, Friday

Click create and then you’ll be back at the list of cron jobs. The one at the bottom of the list will be the one you’ve just created; click on it to open it and click on “Run now” to make sure it works correctly and doesn’t give any errors, and also to put the blacklists in place to start with.

I recommend these settings as the blacklists are updated a maximum of once every 24 hours. The script will run while no-one is likely to be around, so won’t be interrupted by DansGuardian restarting, but will only run on weekdays, so if it goes wrong for whatever reason – they don’t include one of the categories, for example – you’ll be there before anyone notices…just in case someone comes in on Saturday and finds that it’s not working!

To work with these blacklists, you’ll need to modify your /etc/dansguardian/lists/bannedurllist and /etc/dansguardian/lists/bannedsitelist files, otherwise DansGuardian won’t start as it won’t be able to find the files that are referenced. Example files are attached, which matched the lists provided by Shalla in October 2011. For your ease they contain descriptive comments on each list, and all lists are commented out, so as they stand they block nothing. Just uncomment the .Include lines that fit with what you want to block. You can find the same files at www.petespcs.co.uk/dangerous/bannedurllist and www.petespcs.co.uk/dangerous/bannedsitelist
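Since DansGuardian won’t start when an .Include line points at a file that is no longer there, the referenced files can be checked after each update and before any restart. The script below is an added example, not the updatebl.sh linked above; the function names and the "run" argument are hypothetical.

```shell
#!/bin/sh
# Added example, not the updatebl.sh linked above. Checks that every active
# .Include<...> line in a DansGuardian list file points at a readable file, so
# a blacklist category dropped upstream is caught before DansGuardian restarts.

# Print the targets of uncommented .Include<path> lines that are not readable.
missing_includes() {
    sed -n 's/^[[:space:]]*\.Include<\(.*\)>[[:space:]]*$/\1/p' "$1" |
    while IFS= read -r target; do
        [ -r "$target" ] || printf '%s\n' "$target"
    done
}

# Return 0 only if every list file given is readable and has no missing targets.
lists_ok() {
    bad=0
    for list in "$@"; do
        if [ ! -r "$list" ]; then
            echo "$list: cannot read list file" >&2
            bad=1
            continue
        fi
        miss=$(missing_includes "$list")
        if [ -n "$miss" ]; then
            printf '%s\n' "$miss" | while IFS= read -r t; do
                echo "$list: missing $t" >&2
            done
            bad=1
        fi
    done
    return "$bad"
}

# With the argument "run", check the two files named in the text and report.
if [ "${1:-}" = run ]; then
    if lists_ok /etc/dansguardian/lists/bannedurllist \
                /etc/dansguardian/lists/bannedsitelist; then
        echo "all included blacklists present"
    else
        echo "not safe to restart DansGuardian: fix the lists above" >&2
        exit 1
    fi
fi
```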

A quick shot of the inside of the BT Openreach Infinity VDSL2+ modem/router/bridge, which comes in a box labeled Huawei Echolife HG612. See Huawei’s page for the HG612 (link now broken). However, it is clear we have a modified stripped down version of the device, as there are no wireless features visible either internally or externally. This also means we have no access to any configuration pages it has (as yet).

A quick note on opening this thing: there are 4 Phillips/Pozidriv/crosshead screws under the outer ends of the rubber feet; you don’t actually need to pull the feet fully off to get to the screws. There’s also a really annoying clip in the middle of the ‘front’ (opposite the connectors) of the box. This is easily dealt with by opening up the back edge slightly, and sliding in a long screwdriver to give a gentle push out on the front. The top then simply lifts off. Re-assembly is easy, it simply clicks in place.

There is but one other problem with this box: namely, it regularly ends up disconnecting from the broadband line, intermittently at first, then more and more often until it can’t keep a connection at all. This happens over about 2 months for me, keeping the modem flat, sitting on its feet on a shelf.

The problem with this box is, unsurprisingly given how few vents are on it, heat. Take out the 4 screws from under the outer ends of the feet, and whack a big fan onto it, and it sits, even after cooking itself stupid for 2 months, happy as anything, cool as a cucumber. There are reports that if you wall mount this box in the vertical position then the vents actually work! However, I have not tried this, so cannot say. It may be enough to stop a new box cooking itself, but not to fix an already problematic box.

I’m sure that in time I will be trialling a new modem in the upright wall mount position, and if there’s still no joy I will be having a go at modding that one so an external power supply is not needed, even mounting the fan within the box, a small CPU fan should do the job after all. If you do intend to do this, it’s worth bearing in mind that officially these boxes still belong to BT Openreach, so you might not want to damage it too much.

One final picture to give hardware hackers another excuse to break into these boxes, a lovely block of headers, marked RX, NULL, VCC, GND, TX, and another row is a JTAG connection from my brief research. Hopefully this might lead to some 3rd party firmware, so we can access some stats from this and use some of its other features. Also interesting to note is the ‘Internet’ LED space for 2 LEDs, I assume one green and one red to indicate the state of the PPPoE connection when this box is used to handle it. BT of course uses the home hub for this, but actually you can use any PPPoE cable router or simply a computer. I personally hook mine to a m0n0wall box.